Three months later, culprit in Google China attacks is elusive

Progress made in investigation, experts say; political sensitivity ramped up

By John Letzing

SAN FRANCISCO (MarketWatch) -- Google Inc.'s decision earlier this week to dodge China's Internet censorship came roughly three months after the cyber-attacks that set off the imbroglio were detected. Yet the attacks have yet to be definitively traced.

The lack of closure in the ongoing investigation into the incursions, which targeted intellectual property at dozens of companies other than Google, highlights the increasingly sophisticated nature of cyber-crime.

Google announced in January that it had been hit with a cyber-attack "originating from China," which was aimed at stealing intellectual property and identifying email users advocating for human rights. As a result, Google made a futile attempt to negotiate with Chinese authorities over offering uncensored search service in China, ultimately opting to provide unfiltered service via Hong Kong-based google.com.hk.

While speculation has swirled that the Chinese government was the culprit behind the cyber-attacks, no concrete evidence has surfaced to back that up.

What is clear is that the attacks on more than 30 different companies were of unprecedented scope, sophistication and speed, experts said.

"We're making a lot of progress in beginning to understand what happened," said Francis deSouza, senior vice president of Symantec Corp.'s enterprise-security group.

Security-software maker Symantec is advising a number of clients hit by what the company has termed the "Hydraq" attacks, according to deSouza -- who pointed out that what's been learned so far about them is unnerving.

For example, the early stage of "discovery" -- or the mapping of a targeted company's network -- usually requires up to a year, the executive said, while "in the Hydraq cluster of attacks, the discovery stage lasted six to 10 days." DeSouza added that taken all together, the attacks were "broader than anything we've ever seen."

Other companies that have disclosed being hit with attacks at roughly the same time as Google include Adobe Systems Inc., Intel Corp. and Juniper Networks Inc.

Countries commonly launch cyber-attacks against each other, according to McAfee Inc. Chief Technology Officer George Kurtz. Those with the most active programs are the United States, Russia, China, France and Israel, he said.

But while most attacks among nations target one another's infrastructure, the assault on Google was seemingly unique. "What was different here was a country targeting a corporation," Kurtz commented.

'A lot of up-front recon'

Kurtz, who said McAfee has worked with roughly a half-dozen companies hit by the same attacks that targeted Google, stressed that it's impossible to know at this point which country, if any, was the instigator.

Of particular interest was the "social footprinting" that went into the attacks, he elaborated. For example, efforts were made to identify employees with access to a company's source code or other intellectual property. Attackers then posed as social acquaintances of those employees to encourage them to click on links that could ultimately enable theft.

"There was a lot of up-front recon work that went into this that people may not be aware of," Kurtz said.

Last month, the New York Times reported that the attacks were traced to computers at Shanghai Jiaotong University and the Lanxiang Vocational School in China. No public disclosures have since been made about their source. Experts say an attack originating in one country can easily be made to appear as if it's coming from another.

Gartner Inc. analyst John Pescatore said the time it's taking to identify the guilty party is unusual. "In a couple of weeks, typically, you have an indication," he added.

However, the source of the attacks is "the least important part of any of this," Pescatore noted, compared with simply figuring out how they were made and how to prevent them. "The part about catching the bad guy is nice, but for a company and its shareholders, that's way down the priority list."

In addition, there is a general reluctance to publicly discuss the source and methods of cyber-crime, often for good reason. Robert Maley, Pennsylvania's chief information-security officer, was dismissed shortly after publicly describing a hacking incident suffered by the state at a conference in San Francisco earlier this month.

"That's impacting many security people's willingness to talk," Pescatore said. Maley could not be reached for comment.

Meanwhile, the heated back-and-forth between the U.S. and Chinese governments over Google and other matters has only increased sensitivity. The White House has lent support to Google's position, while Chinese state media has portrayed the affair as a political conspiracy concocted by American officials.

Attributing cyber-attacks is sensitive, China specialist Larry Wortzel said in testimony prepared for a House Foreign Affairs Committee hearing earlier this month, "because if one describes how attribution is achieved, it tells the intruder how to modify its operations and make them more effective."

Still, Wortzel went on to say: "It is the organs of control and repression in China that need the type of information that was extracted from Google," while conceding that "I cannot prove this beyond a reasonable doubt in a court of law."

So far, the only clearly identified offender in the matter has been Microsoft Corp.'s Internet Explorer browser -- a technology now known to have been used in the attacks on Google and others.

Microsoft has since issued a patch for the vulnerability in its browser.